The entryway to the Providence Public School Department’s administrative offices are seen on Westminster Street from an angle. (Alexander Castro/Rhode Island Current)
About 201 gigabytes of data allegedly stolen from the Providence Public School Department was released after the deadline to pay a $1 million ransom Wednesday morning, according to an update to an online landing page allegedly hosted by the ransom group Medusa.
Shortly after the deadline passed, Superintendent Javier Montañez issued a statement confirming a third-party trespassed on the school district’s computers.
“We recently obtained confirmation that unauthorized access occurred on our network,” the superintendent wrote. “Moreover, an unverified, anonymous group has claimed that they have PPSD files. While we cannot confirm the authenticity of these files and verify their claims, there could be concerns that these alleged documents could contain personal information.”
Providence school officials are quiet on data breach details
“Again, at this time we are still gathering more information and are conducting an analysis that will provide us greater clarity on what may have occurred, what may have been impacted, and what actions may need to be taken.”
PPSD spokesperson Jay G. Wégimont said in an email that the letter went out at approximately 11:30 a.m.
The admission of an anonymous group’s involvement is new, as the district was careful to label the intrusion in general terms since detecting what a district letter called “irregular activity” on Sept. 11. The internet was shut down the same day as a precautionary measure to prevent further intrusion.
The hacker group Medusa taking ownership of the attack was reported well before the district’s confession, including on tech news site Comparitech on Sept. 17.
As Rhode Island Current previously reported, a file explorer has been included on the alleged ransom landing page since last week, and while it does not provide access to any files, the file and folder names do suggest the leak’s potential contents. The leak’s contents appear to resemble a file server for administrative and staff documents.
But to see the actual files, one would need to contact the hackers directly: The ransom page does not include direct download links, and instead redirects interested parties to use an encrypted messaging app to contact Medusa “support” for access to the complete data dump.
State penalties for illegal trespassing of networks can include felony charges, jail time and fines of up to $5,000, per state statute.
The countdown clock has been changed to now proclaim ‘PUBLISHED’ on the Medusa blog, which claims that Providence Public School District data is available for download after a $1 million ransom demand went unmet. (Screenshot)
‘Low hanging fruit’
School districts have become easy and popular targets because many don’t have top of the line systems and enough IT expertise despite their large budgets, said Preston Green III, a professor of urban education, educational leadership and law at the University of Connecticut.
“Cybersecurity people have said that school districts are low hanging fruit,” Green said. “They have archaic systems … and they don’t update them and they have money. William ‘The Actor’ Sutton was asked why he robs banks. ‘Because that’s where the money is.’”
The clock is running on ransomware attack against Providence schools
The Providence school district has been under state control since 2019, with oversight by the Rhode Island Department of Education (RIDE) — an arrangement that was renewed in August for up to another three years.
Victor Morente, a RIDE spokesperson, said in an email Wednesday that the state agency is “aware of the recent update provided by PPSD and has been working to ensure state support is available for the District. As noted in the letter to the community, an analysis is ongoing which will provide more information on what may have taken place.”
Wégimont also confirmed in an email Wednesday morning that the district was still investigating specifics: “Please note that, at this time we are still gathering more information and are conducting an analysis that will provide us greater clarity on what may have occurred, what may have been impacted, and what actions may need to be taken.”
The forensic analyses that follow ransomware attacks can be costly and time-consuming. One survey relayed that the average recovery time for ransomware attacks is 22 days. A 2021 Sophos report showed that “the spectrum of ransom payments was very wide.” The most common payment among victims Sophos surveyed was $10,000 while the highest was $3.2 million.
Despite the severity of ransomware attacks, many intruders follow the same patterns or set off the same alarms, according to an article on Cado Security: “Today, almost every targeted ransomware attack starts with an initial spearphishing compromise.” That means hackers gain access through phishing links, typically sent over email to people in targeted organizations.
Providence superintendent Javier Montañez speaks with reporters on Aug. 29, 2024, after the state education department renewed its control over the capital city’s public schools. Montañez issued a statement on Wednesday morning, Sept. 25, that ‘anonymous’ threat actors had accessed school information, but the full extent wasn’t known yet. (Alexander Castro/Rhode Island Current)
Providence is far from the first school district to endure a ransomware attack. In neighboring Massachusetts, Nantucket Public Schools suffered a ransom attack in early 2023, and schools closed down for two days. A ransomware attack on Tucson Unified School District in Arizona attracted headlines in 2023 and eventually led the district to contemplate a budget increase because of the hack’s financial impact.
Minneapolis Public Schools (MPS), meanwhile, was another district purportedly hit by Medusa in 2023, and months later notified approximately 100,000 people that their information had been compromised in the attack.
Ahead of the leak deadline, software engineer Ian Coldwater wrote on X that the Minnesota district “hasn’t been forthcoming” about the leak and provided a thread of identity theft and credit monitoring resources for families who might be affected.
Coldwater, who identified themself as a “MPS parent and a cybersecurity professional,” tweeted that the aftershocks of breach events can take time to appear, and that it’s important to be proactive about protecting personal information in the wake of a cyberattack.
“I’m not telling you to panic,” Coldwater wrote. “I’m telling you to know and prepare.”
Connections restored
Meanwhile, the internet is gradually returning to Providence schools, and the district is “well on our way back to normal operations,” wrote Deputy Superintendent of Operations Zack Scott in a letter Sunday to the PPSD community.
“As of today, I am glad to report that internet connectivity is available at schools after the district temporarily disconnected internet connections out of an abundance of caution,” Scott wrote. “On Monday, students and staff members will be able to use Chromebooks throughout our schools with other devices being reconnected in the coming week.”
Scott reiterated that a network analysis was underway and that more information would be available soon.
The lack of internet access just two weeks into the new school year was emphasized in initial media reports about the breach — but the first PPSD letter about the outage, dated Sept. 12, stressed that “the District shut down the network” following the recommendation of their third-party IT consultant. This approach follows standard protocol for when a ransomware attack is suspected.
According to the federal Cybersecurity and Infrastructure Security Agency, isolating and powering down affected devices is a crucial first step in combating further damage.
“If several systems or subnets appear impacted, take the network offline at the switch level. It may not be feasible to disconnect individual systems during an incident,” the agency advises on their website. (Switches allow connection between devices and internet-connected routers.)
Maribeth Calabro, president of the Providence Teachers Union, said in an email Wednesday morning that Providence’s “resilient” teachers and students powered through the lack of connectivity.
“Working through the internet loss has been difficult but not insurmountable,” Calabro wrote. “There is a certain level of stress and anxiety that comes with the sudden loss of internet and a level of concern for the unknown. While teachers express frustration and nervousness about any new issues or impact that will occur down the road, they have not let this issue impact their instruction or morale.”
Editor-in-Chief Janine L. Weisman contributed reporting to this story.
GET THE MORNING HEADLINES DELIVERED TO YOUR INBOX